-rw-r--r--wireshark/ndpi.lua18
1 files changed, 16 insertions, 2 deletions
diff --git a/wireshark/ndpi.lua b/wireshark/ndpi.lua
index 06d02969b..195f7dae2 100644
--- a/wireshark/ndpi.lua
+++ b/wireshark/ndpi.lua
@@ -33,6 +33,7 @@ ndpi_fds.name = ProtoField.new("nDPI Protocol Name", "ndpi.proto
ndpi_fds.flow_risk = ProtoField.new("nDPI Flow Risk", "ndpi.flow_risk", ftypes.UINT64, nil, base.HEX)
ndpi_fds.flow_score = ProtoField.new("nDPI Flow Score", "ndpi.flow_score", ftypes.UINT32)
+
local flow_risks = {}
local num_bits_flow_risks = 64 -- 64 is the "right" value; if you want a more compact visualization you can lower it to max used bits
flow_risks[0] = ProtoField.bool("ndpi.flow_risk.unused0", "Unused", num_bits_flow_risks, nil, bit(0), "nDPI Flow Risk: Unused bit")
@@ -993,10 +994,23 @@ function ndpi_proto.dissector(tvb, pinfo, tree)
end
end
end
-
- ndpi_subtree:add(ndpi_fds.flow_score, tvb(len-22, 2))
+
+ ndpi_subtree:add(ndpi_fds.flow_score, tvb(len-22, 2))
ndpi_subtree:add(ndpi_fds.name, tvb(len-20, 16))
+ if(flow_score > 0) then
+ local level
+ if(flow_score <= 10) then -- NDPI_SCORE_RISK_LOW
+ level = PI_NOTE
+ elseif(flow_score <= 50) then -- NDPI_SCORE_RISK_MEDIUM
+ level = PI_WARN
+ else
+ level = PI_ERROR
+ end
+
+ ndpi_subtree:add_expert_info(PI_MALFORMED, PI_WARN, "Non zero score")
+ end
+
if(application_protocol ~= 0) then
-- Set protocol name in the wireshark protocol column (if not Unknown)
pinfo.cols.protocol = name